Proofpoint [2] [3] [4] [7], a cybersecurity company [3], has recently discovered a new malware strain called ZenRAT. This modular remote access trojan (RAT) specifically targets Windows computers and disguises itself as a fake installation package of Bitwarden, a popular password manager [2] [3] [6] [7].


Hackers have been using a fake Bitwarden download page to target Windows users with ZenRAT [1]. The malware steals information from compromised systems, including CPU and GPU names [7], operating system version [3] [5] [7], browser passwords [7], and installed applications [7]. It is still unclear how the malware is being distributed [1], but it has been delivered through SEO poisoning [1], adware bundles [1], or email in the past [1].

The fake site closely resembles the real Bitwarden website and only displays the fake download if accessed from a Windows host [1]. Non-Windows users are redirected to a legitimate website [1]. The payload is downloaded from a domain called crazygamesis[.]com [1]. The trojanized copy of Bitwarden’s installation package includes the ZenRAT .NET executable [1].
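
For defenders, the payload domain named above can be matched against web proxy logs. The following Python is an added example, not code from Proofpoint or the cited reports; the log layout (timestamp, client, method, URL, status) and the sample lines are constructed assumptions, and matching is done on hostname label boundaries so look-alike hosts do not trigger.

```python
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = ["crazygamesis[.]com"]  # payload domain from the article, as published

def refang(indicator):
    """Undo common defanging (hxxp, [.], (.), [dot]) so the value can be matched."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)

def host_of(value):
    """Normalised hostname from a full URL or a bare host[:port] field."""
    value = value.strip().lower()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value):
        value = "//" + value  # lets urlsplit parse host:port (CONNECT lines)
    return (urlsplit(value).hostname or "").rstrip(".")

def matches(host, domain):
    """Exact or subdomain match on label boundaries, never a substring test."""
    return host == domain or host.endswith("." + domain)

def scan(log_lines, iocs=DEFANGED_IOCS):
    """Return (line_no, client, host) for every request to a listed domain."""
    domains = [host_of(refang(i)) for i in iocs]
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        host = host_of(fields[3])
        if any(matches(host, d) for d in domains):
            hits.append((n, fields[1], host))
    return hits

# Constructed sample lines (assumed layout: timestamp client method url status).
# The host is built at run time so no live link appears in the source.
D = host_of(refang(DEFANGED_IOCS[0]))
SAMPLE_LOG = [
    f"2023-01-01T10:00:01Z 10.0.0.5 GET http://{D}/constructed-path 200",
    f"2023-01-01T10:00:02Z 10.0.0.6 CONNECT cdn.{D.upper()}:443 200",
    f"2023-01-01T10:00:03Z 10.0.0.7 GET http://not{D}/ 200",           # look-alike
    f"2023-01-01T10:00:04Z 10.0.0.8 GET https://{D}.example.org/ 200",  # prefix only
    f"2023-01-01T10:00:05Z 10.0.0.9 GET https://example.org/?ref={D} 200",
    f"2023-01-01T10:00:06Z 10.0.0.10 GET http://{D}./ 200",             # trailing dot
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only lines 1, 2 and 6 of the sample are reported; the look-alike host, the prefix-only host and the query-string mention are not.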

ZenRAT collects information about the host system and sends it to its command-and-control server [1] [6]. The malware also runs anti-sandbox and anti-VM checks so that it can avoid running in analysis environments [2].


To protect against ZenRAT and similar threats, users are advised to only download software from trusted sources and be cautious of ads in search engine results [1]. It is crucial to stay vigilant and implement strong cybersecurity practices to mitigate the risks posed by malware attacks.